C.A.R.L.
Password ManagementVital Metric K · Pillar 3

Password management.

We don't manage passwords so much as we manage identity. Microsoft 365 is the source of truth — and every login passes through five gates before it arrives.

5
Conditional Access gates, enforced on every login
2
Managed credential stores — M365 and LastPass
1
Identity source of truth. One place to revoke access.
In one paragraph

We don't manage passwords so much as we manage identity. Microsoft 365 is the source of truth; every application either federates to it through single sign-on, or has its credentials held in LastPass. Either way, the door is the same — and it is gated.

Threat → Gates → PortalFive gates, one identity.
EXTERNAL SECURITY THREATMicrosoft 365IDENTITY2-FACTOR AUTHCOMPLIANT DEVICETRUSTED LOCATIONWHITELISTED COUNTRYSINGLE SIGN-ONAPPLICATIONSLASTPASS VAULTnon-federated appsmy.monocera.portalLAUNCHPAD12345TRUSTED PATHATTACK VECTOR

One identity. Two stores.

Three components · One ruleset
01 / TRUST ANCHOR

Microsoft 365

Identity provider

One directory, one set of credentials, one place to revoke. Conditional Access policies live here — country, device, network, and second factor are all enforced before any app sees the user.

02 / VAULT

LastPass

Password manager

For the long tail of apps that can't federate. Vault unlock is itself federated to Microsoft 365, so the gates above still apply. Passwords are generated, stored, and rotated — never typed, never reused, never shared in chat.

03 / FRONT DOOR

SSO Federation

Single sign-on

Every business app that supports SAML or OIDC is wired to Microsoft 365. Staff land on my.monocera.portal, click the tile, and are in. No passwords leave the identity layer.

Conditional Access

The five gates, in order.

A request from outside the organisation passes through every gate, in sequence. A failure at any gate ends the request — silently, with audit log.

  1. 1.Whitelisted CountryGeo-IP check. Approved jurisdictions only; everything else dropped at the edge.
  2. 2.Trusted LocationKnown networks (office, VPN, named home IPs) recognised; unknown ones face friction.
  3. 3.Compliant DeviceIntune-managed, encrypted, patched, AV present. No personal or unmanaged devices.
  4. 4.2-Factor AuthAuthenticator number-match. SMS and voice are not accepted second factors.
  5. 5.M365 IdentityThe token is minted here. Downstream apps trust M365; they never see the password.

Want to know where your identity posture actually stands?

A C.A.R.L. audit gives you a baseline across all 14 Vital Metrics — including Password Management — in a single session. No agents to pre-install, no access to hand over.